geronimo-dev mailing list archives

From "Joseph Leong (JIRA)" <j...@apache.org>
Subject [jira] Commented: (GERONIMO-3781) Plugin Installer, CSRF issue when attempting to install a new plugin
Date Tue, 05 Feb 2008 22:25:07 GMT

    [ https://issues.apache.org/jira/browse/GERONIMO-3781?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12565910#action_12565910 ]

Joseph Leong commented on GERONIMO-3781:
----------------------------------------

Update:

Been spending a great deal of time on this, have found a funny scenario that fixes this issue
with expiring a cookie and some delays, but not satisfied with that hack.  Going to put more
work into it until I iron this out solid.

Any thoughts would be appreciated.  The specific issue is at
private void checkNotCsrfAttack(HttpServletRequest request, String sessionCookieName), located at
http://fisheye5.cenqua.com/browse/~raw,r=1.7/dwr/java/org/directwebremoting/dwrp/Batch.java

It is throwing a session error because nothing will return true.

Due to GERONIMO-3746 being resolved, this JIRA will remain active to update the CSRF issue.

Thanks!

> Plugin Installer, CSRF issue when attempting to install a new plugin
> --------------------------------------------------------------------
>
>                 Key: GERONIMO-3781
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-3781
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: console
>    Affects Versions: 2.1, 2.1.1
>         Environment: Ubuntu 7.10, Firefox 2.0.0.6
>            Reporter: Joseph Leong
>            Assignee: Joseph Leong
>             Fix For: 2.1.1
>
>
> Plugin installer will not allow for you to install any more plugins on a second attempt
> given that it threw an exception the first time.  This is attributed to the exception thrown
> that doesn't properly exit and close off current sessions.  So in the second attempt there
> is a cookie/session mismatch.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
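The check Joseph points at compares the session id that DWR carries in the batch body with the session id the container received from the session cookie, and refuses the batch when nothing matches. The sketch below is an added illustration of that double-submit style guard, written for this discussion; it is not DWR's Batch.java and not Geronimo code. The method name and the `bodySessionId` parameter are assumptions chosen to mirror the description above, and the "stale id after an invalidated session" comment describes the failure mode reported on this issue, where the client keeps posting the old id while the container now holds a fresh cookie, so no comparison can succeed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;

/**
 * Hypothetical session-id double-submit CSRF guard (illustration only,
 * not the DWR or Geronimo implementation).
 *
 * A forged cross-site request can make the browser attach the session
 * cookie, but the attacking page cannot read that cookie, so it cannot
 * place the matching id in the request body. Comparing the two therefore
 * rejects the forgery while letting the real client through.
 */
public final class SessionIdCsrfGuard {

    private SessionIdCsrfGuard() {}

    /**
     * Returns silently when the request is acceptable and throws
     * SecurityException("Session Error") when the body id does not match
     * the cookie-supplied session id.
     *
     * @param request           the incoming servlet request
     * @param sessionCookieName the container's session cookie name (e.g. JSESSIONID)
     * @param bodySessionId     the session id the client echoed in the request body
     */
    public static void checkNotCsrfAttack(HttpServletRequest request,
                                          String sessionCookieName,
                                          String bodySessionId) {
        // Nothing to compare against unless the container resolved a live
        // session from a cookie; URL-rewritten ids are not cookie-backed.
        if (!request.isRequestedSessionIdValid()
                || !request.isRequestedSessionIdFromCookie()) {
            return;
        }

        String headerSessionId = request.getRequestedSessionId();
        if (headerSessionId == null || headerSessionId.isEmpty()) {
            return;
        }

        // Normal case: the id echoed in the body equals the cookie-borne id.
        if (bodySessionId != null && constantTimeEquals(headerSessionId, bodySessionId)) {
            return;
        }

        // Some containers decorate getRequestedSessionId(); compare against
        // the raw cookie value as well before giving up.
        Cookie[] cookies = request.getCookies();
        if (cookies != null && bodySessionId != null) {
            for (Cookie cookie : cookies) {
                if (sessionCookieName.equals(cookie.getName())
                        && constantTimeEquals(cookie.getValue(), bodySessionId)) {
                    return;
                }
            }
        }

        // Reached both for a genuine cross-site forgery and for a stale id:
        // if an earlier exception left the old session invalidated and the
        // container issued a new cookie, the client still posts the old id,
        // every comparison above fails, and the legitimate user is locked out.
        throw new SecurityException("Session Error");
    }

    /** Length-independent comparison so timing does not leak id prefixes. */
    private static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(
                a.getBytes(StandardCharsets.UTF_8),
                b.getBytes(StandardCharsets.UTF_8));
    }
}
```

When reading a guard like this, the two exit paths worth separating in logs are the forgery case and the stale-id case: both end in the same exception, so a client that was issued a new session after a server-side failure looks identical to an attacker unless the client re-reads its session id before sending the next batch.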

